Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor to restrict access to user namespaces. Qualys has reported three ways to bypass AppArmor's restrictions and enable local users to gain full administrative capabilities within a user namespace. Ubuntu has followed up with a post that explains the namespace-restriction feature in detail, and says these bypasses do not constitute security vulnerabilities.
While a superficial observation of the application of user namespaces may indicate privileged (root level) access, this is a fictitious state that is operating as expected, with access control still mapped to the real (root namespace) user's permissions. As such, these bypasses do not enable more access than what the default Linux kernel unprivileged user namespace feature allows in most Linux distributions. They do, however, demonstrate limitations that we are looking to address in order to strengthen existing protections against as-of-yet-unknown Linux kernel vulnerabilities.
LWN covered Ubuntu 24.04 LTS last May.
Presumably the crawlers will now have to up both their scraping stealth and their ability to filter out AI-generated content like this. Which means the honeypots will have to get better at detecting scrapers and more stealthy in their fake content. This arms race is likely to go back and forth, wasting a lot of energy in the process.— Bruce Schneier on a new AI-scraper-bot defense
Stable updates: 6.13.9, 6.12.21, 6.6.85, and 6.1.132 were released on March 28.
The Linux kernel is massive — approximately 28 million lines of code. Since 2005, more than 13,500 developers from more than 1,300 different companies have contributed to the Linux kernel. Additionally, there are many kernel versions, and developers update the code constantly, distributing that code to developers who are working on various distributions of Linux. Akamai now delivers the infrastructure that these developers and their users rely on, at no cost, supporting the Git environments developers use to access kernel sources quickly, regardless of where they're based.
Outgoing Fedora Project Leader (FPL) Matthew Miller has announced his successor, Jef Spaleta.
Some of you may remember Jef's passionate voice in the early Fedora community. He got involved all the way back in the days of fedora.us, before Red Hat got involved. Jef served on the Fedora Board from July 2007 through the end of 2008. This was the critical time after Fedora Extras and Fedora Core merged into one Fedora Linux where, with the launch of the "Features" process, Fedora became a truly community-led project.
Spaleta will be joining Red Hat full time in May and Miller will be formally handing off FPL duties at the Flock conference in June.
Version 2.0 of PorteuX, a distribution based on Slackware Linux, has been released. This release adds the ability to test experimental Wayland sessions for the Cinnamon, LXQt, and Xfce desktops. PorteuX 2.0 updates the Linux kernel to 6.14 and includes many package updates and bug fixes. Users have the choice of PorteuX stable or its rolling release called current. See the install.txt for instructions on installing PorteuX to disk.
I am very much in favor of continuing to improve reproducibility and auditability in general. However, as a general response to this discussion, I'd like to caution against writing new policies that implicitly rely on any of the following falsehoods:
- All upstreams use some kind of forge, with features like automatic source archives for tags and commits
- All upstreams use a VCS with public read access
- All upstreams use a VCS
- All package sources can be expressed as URLs
- All correct source URLs yield stable/reproducible downloads
- The processes upstreams use to produce "release" archives from raw VCS sources can always be imitated downstream
- All necessary and useful packages in Fedora have active upstreams
- All inactive upstreams still have at least some kind of archived web presence where a canonical copy of the last release can be downloaded
It's useful to provide guiding principles, and to provide concrete guidance for common cases, but it's also important to acknowledge that Fedora packagers have to deal with a wide variety of upstreams and ecosystems, some of them deeply idiosyncratic.
KDE contributor David Edmundson has published a blog post about improving KDE Plasma's login experience by replacing SDDM with a new Plasma Login Manager.
It's worth stressing nothing is official or set in stone yet, whilst it has come up in previous Plasma online meetings and in the 2023 Akademy. I'm posting this whilst starting a more official discussion on the plasma-devel mailing list.
Oliver Beard and I have made a new mutli-process greeter, that uses the same startup mechanism as the desktop session. It doesn't have all the features that we propose at the start of the blog, but an architecture where features and services can be slowly and safely added.
That discussion is here for those who would like to follow along. The prototype is currently in two repositories: plasma-login for the frontend work, and plasma-login-manager, which is a fork of SDDM.
One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project has announced that it will be adopting the Ferrocene Language Specification (FLS) developed by Ferrous Systems and maintaining it as part of the core project. While this may not satisfy die-hard standardization-process enthusiasts, it's a step toward removing another barrier to using Rust in safety-critical systems.
It's in that light that we're pleased to announce that we'll be adopting the FLS into the Rust Project as part of our ongoing specification efforts. This adoption is being made possible by the gracious donation of the FLS by Ferrous Systems. We're grateful to them for the work they've done in assembling the FLS, in making it fit for qualification purposes, in promoting its use and the use of Rust generally in safety-critical industries, and now, for working with us to take the next step and to bring the FLS into the Project.
Ryan Sipes has announced
efforts to expand Thunderbird's offerings with web services to
"enhance the experience of using Thunderbird
".
The Why for offering these services is simple. Thunderbird loses users each day to rich ecosystems that are both clients and services, such as Gmail and Office365. These ecosystems have both hard vendor lock-ins (through interoperability issues with 3rd-pary clients) and soft lock-ins (through convenience and integration between their clients and services). It is our goal to eventually have a similar offering so that a 100% open source, freedom-respecting alternative ecosystem is available for those who want it.
The planned services include hosted email, appointment scheduling,
a revival of Firefox Send,
and (of course) an AI assistant based on a partnership with Flower AI. The AI features will
"always be optional for use by people who want them
". Sipes is
managing director of product for Thunderbird's parent organization, MZLA
Technologies Corporation. LWN covered his
GUADEC 2024 keynote last July.
We're incredibly grateful to have Dave as our friend, mentor, and as someone who continuously inspired us – showing us that we could do better for each other in the world, and leverage technology to make that happen. He will be dearly missed".
Searching through LWN's archives will turn up many references to his work fixing WiFi, improving queue management, tackling bufferbloat, and more. Farewell, Dave, we hope the music is good wherever you are.
(Thanks to Jon Masters for the heads-up).
Page editor: Daroc Alden
Next page:
Announcements>>
Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds